Date: Wed, 12 Jan 2011 16:05:16 +0100
From: Frank Bonnet <f.bonnet@esiee.fr>
To: freebsd-questions@freebsd.org
Subject: Re: protect a single interface with IPFW ?
Message-ID: <4D2DC32C.7000800@esiee.fr>
In-Reply-To: <AANLkTi=CqsWY7KWM63MLVj1CN+DGOjvw+AC-5dh=5+kA@mail.gmail.com>
References: <4D2DBF12.3050809@esiee.fr> <AANLkTikLHn=6t3WvuQvdjUGYXobqTwa7YZyfsoJym=ND@mail.gmail.com> <AANLkTi=CqsWY7KWM63MLVj1CN+DGOjvw+AC-5dh=5+kA@mail.gmail.com>
Thanks a lot !

On 01/12/2011 04:03 PM, krad wrote:
> On 12 January 2011 15:01, krad <kraduk@gmail.com> wrote:
>
>> On 12 January 2011 14:47, Frank Bonnet <f.bonnet@esiee.fr> wrote:
>>
>>> Hello
>>>
>>> is it possible to protect a single interface with IPFW
>>> my server has only one interface and I want to
>>> allow only SSH LDAP LDAPS
>>>
>>> thanks for any examples
>>>
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>> something like this
>>
>> add pass all from any to any via lo0
>> add pass tcp from w.x.y.z to any 22 in via $int keep-state
>> add pass tcp from w.x.y.z to any 389 in via $int keep-state
>> add deny ip from any to any
>>
>> or for pf (better in my opinion)
>>
>> table <sshhosts> const { hosta, hostb, ... }
>> table <ldaphosts> const { hosta, hostb, ... }
>>
>> set skip on lo0
>>
>> block all
>> pass in quick proto tcp from <sshhosts> to any port ssh synproxy state
>> pass in quick proto tcp from <ldaphosts> to any port ldap synproxy state
>>
>
> whoops, forgot the all-important lines. Without these your box itself can't
> initiate connections to the outside world
>
> ipfw add before the deny
>
> add pass all from any to any out via $int keep-state
>
> and for pf, add at the end
>
> pass out from any to any keep state

-- 
Frank BONNET
01.45.92.66.17
Service des Moyens Informatique Generaux
ESIEE PARIS
Cité Descartes / BP 99
93162 NOISY-LE-GRAND Cedex
http://www.esiee.fr
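The original question asked for SSH, LDAP and LDAPS, while krad's ipfw rules cover ports 22 and 389 and the follow-up adds the stateful outbound rule that must sit before the final deny. The script below is an added example (not code from any poster in this thread) of the same design as one loadable /bin/sh ruleset: it adds LDAPS on 636, uses explicit rule numbers so the outbound rule cannot end up after the deny, and uses `setup keep-state` so only a SYN creates a dynamic rule. The interface name `em0`, the two client networks (documentation ranges), the rule numbers and the `--show`/`--load` arguments are assumptions for this example.

```shell
#!/bin/sh
# Added example ruleset for a single-interface FreeBSD host that should accept
# only SSH, LDAP and LDAPS inbound and still be able to open connections itself.
# Assumptions (override via environment): interface em0, SSH admins in
# 192.0.2.0/24, LDAP clients in 198.51.100.0/24 (both constructed placeholders).

INT="${INT:-em0}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
LDAP_CLIENTS="${LDAP_CLIENTS:-198.51.100.0/24}"
IPFW="${IPFW:-ipfw -q}"

# Print the complete rule set in load order.  Rule numbers make the order
# explicit: every pass rule, including the outbound one, precedes the deny.
gen_rules() {
    cat <<EOF
$IPFW -f flush
$IPFW add 100 check-state
$IPFW add 200 pass all from any to any via lo0
$IPFW add 300 pass tcp from $ADMIN_NET to me 22 in via $INT setup keep-state
$IPFW add 400 pass tcp from $LDAP_CLIENTS to me 389 in via $INT setup keep-state
$IPFW add 410 pass tcp from $LDAP_CLIENTS to me 636 in via $INT setup keep-state
$IPFW add 500 pass all from me to any out via $INT keep-state
$IPFW add 65000 deny log ip from any to any
EOF
}

# Sanity check before loading: the outbound keep-state rule must come before
# the deny, otherwise the host cannot initiate connections (the mistake the
# thread corrects).  Returns 0 when the order is right.
check_order() {
    last=$(gen_rules | tail -n 1)
    case "$last" in
        *deny*) gen_rules | grep -q ' out via ' ;;
        *) return 1 ;;
    esac
}

case "${1:-}" in
    --show) gen_rules ;;                         # review the rules first
    --load) check_order && gen_rules | sh ;;     # then apply them (needs root)
esac
```

Run it as `sh ipfw.rules --show` to review the generated commands and `sh ipfw.rules --load` to apply them; `check-state` near the top lets reply packets match the dynamic rules created by `keep-state`, and `me` matches only the host's own addresses rather than anything passing through.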